admin4.nsf

Hello,

I am doing a pentest and have access to, among others, admin4.nsf. I have access to a window with the title: CROSS DOMAIN REQUEST CONFIGURATION. What can I do here? Anything exciting? I have access to stacks of system databases but don't really know what to do with them due to my lack of Lotus knowledge.

Is the penetration test authorized? Does your "target" know that you are testing their security defenses?

From what I can find the admin4.nsf is a database of administration requests. I am not sure how useful or sensitive the information in the database is.

The Cross Domain Request Configuration seems to allow for setting up a replica database on another domain.

With proper knowledge of Lotus Notes and / or database hacking techniques I would think you should be able to view individual emails and calendar / contact data stored on the server.

However, it seems to me from a penetration testing point of view you may have already proved the point. If you can get to the system and see the database files at all in the first place it seems that you succeeded in penetrating the defenses of the server. I don't believe you need to actually crack the databases and view the internal information to prove that you have penetrated the server.

Well, I wish to get a little deeper into the system really - create a user account and/or as you mentioned, reading calendar details would be super. As I said, my knowledge of Lotus is a little thin unfortunately - any help would be of much help.